1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00
Commit Graph

619 Commits

Author SHA1 Message Date
Daan De Meyer
831f208783 core: Add support for renaming credentials with ImportCredential=
This allows for "per-instance" credentials for units. The use case
is best explained with an example. Currently all our getty units
have the following stanzas in their unit file:

"""
ImportCredential=agetty.*
ImportCredential=login.*
"""

This means that setting agetty.autologin=root as a system credential
will make every instance of our all our getty units autologin as the
root user. This prevents us from doing autologin on /dev/hvc0 while
still requiring manual login on all other ttys.

To solve the issue, we introduce support for renaming credentials with
ImportCredential=. This will allow us to add the following to e.g.
serial-getty@.service:

"""
ImportCredential=tty.serial.%I.agetty.*:agetty.
ImportCredential=tty.serial.%I.login.*:login.
"""

which for serial-getty@hvc0.service will make the service manager read
all credentials of the form "tty.serial.hvc0.agetty.xxx" and pass them
to the service in the form "agetty.xxx" (same goes for login). We can
apply the same to each of the getty units to allow setting agetty and
login credentials for individual ttys instead of globally.
2024-07-31 15:52:27 +02:00
Lennart Poettering
c06b84d816 man: clarify what TTYReset= and TTYVTDisallocate= do and do not do regarding screen clearing 2024-07-19 11:44:04 +02:00
Mike Yuan
9d50d053f3
core: expose PrivateTmp=disconnected
As discussed in https://github.com/systemd/systemd/pull/32724#discussion_r1638963071

I don't find the opposite reasoning particularly convincing.
We have ProtectHome=tmpfs and friends, and those can be
pretty much trivially implemented through TemporaryFileSystem=
too. The new logic brings many benefits, and is completely generic,
hence I see no reason not to expose it. We can even get more tests
for the code path if we make it public.
2024-06-21 17:31:44 +02:00
Maximilian Wilhelm
163bb43cea man/systemd.exec: list inaccessible files for ProtectKernelTunables 2024-06-20 03:00:59 +09:00
Luca Boccassi
0e551b04ef core: do not imply PrivateTmp with DynamicUser, create a private tmpfs instead
DynamicUser= enables PrivateTmp= implicitly to avoid files owned by reusable uids
leaking into the host. Change it to instead create a fully private tmpfs instance
instead, which also ensures the same result, since it has less impactful semantics
with respect to PrivateTmp=yes, which links the mount namespace to the host's /tmp
instead. If a user specifies PrivateTmp manually, let the existing behaviour
unchanged to ensure backward compatibility is not broken.
2024-06-17 17:05:55 +01:00
Kamil Szczęk
608bfe76c1 core: populate $REMOTE_ADDR for AF_UNIX sockets
Set the $REMOTE_ADDR environment variable for AF_UNIX socket connections
when using per-connection socket activation (Accept=yes). $REMOTE_ADDR
will now contain the remote socket's file system path (starting with a
slash "/") or its address in the abstract namespace (starting with an
at symbol "@").

This information is essential for identifying the remote peer in AF_UNIX
socket connections, but it's not easy to obtain in a shell script for
example without pulling in a ton of additional tools. By setting
$REMOTE_ADDR, we make this information readily available to the
activated service.
2024-06-12 00:11:10 +01:00
Mike Yuan
6b34871f5d
core/exec-credential: complain louder if inherited credential is missing
Also document that a missing inherited credential
is not considered fatal.

Closes #32667
2024-05-07 22:02:42 +08:00
Mike Yuan
45a36ecff9
man/systemd.exec: mount_switch_root uses pivot_root rather than chroot 2024-04-27 14:28:54 +08:00
Guido Leenders
f445ed3c5f Document effective owner of stdout/stderr log file upon creation
The log files defined using file:, append: or truncate: inherit the owner and other privileges from the effective user running systemd.

The log files are NOT created using the "User", "Group" or "UMask" defined in the service.
2024-04-22 20:46:25 +02:00
Yu Watanabe
6bd3102e3e man: fix typo
Follow-up for fef46ffb5b.
2024-04-23 01:42:11 +09:00
Lennart Poettering
fef46ffb5b man: document that ReadOnlyPaths= doesn't affect ability to connect to AF_UNIX
Fixes: #23470
2024-04-22 15:16:54 +02:00
Lennart Poettering
04366e0693 man: document that StateDirectory= trumps ProtectSystem=strict explicitly
Fixes: #29798
2024-04-22 15:16:54 +02:00
Lennart Poettering
552dc4a97c man: document explicitly that LogExtraFields= and LogFilterPatterns= are for system service only for now
Fixes: #29956
2024-04-22 15:16:54 +02:00
Lennart Poettering
3c7f0d6b44 man: explicitly say that BindPaths=/BindReadOnlyPaths= opens a new mount
namespace

Fixes: #32339
2024-04-22 15:16:54 +02:00
Frantisek Sumsal
ad444dd8e8 man: slightly reword LogFilterPatterns= description
As there was something missing in the existing sentence.
2024-04-15 17:16:18 +02:00
Ole Peder Brandtzæg
712514416e man: remove PrivateMounts= from list of other settings in its own description
The diff looks bigger, but that's only because it seemed fitting to
reformat the paragraph now that the list is shorter.
2024-04-14 08:04:12 +09:00
Luca Boccassi
622efc544d core: add support for vpick for ExtensionDirectories= 2024-02-17 11:20:00 +00:00
Luca Boccassi
5e79dd96a8 core: add support for vpick for ExtensionImages= 2024-02-17 11:20:00 +00:00
Luca Boccassi
7fa428cf44 man: create reusable snippet for 'vpick' entries 2024-02-17 11:20:00 +00:00
Winterhuman
6c6ec5f728 Improve IgnoreSIGPIPE description
Reword the description of the `IgnoreSIGPIPE=` service option to be more grammatical.
2024-02-14 17:31:18 +00:00
Zbigniew Jędrzejewski-Szmek
f7862b2a00 tree-wide: use normal spelling of "reopen"
It's a commonly used verb meaning "to open again".
2024-02-09 17:57:41 +01:00
Lennart Poettering
7704c3474d man: document new user-scoped credentials 2024-01-30 17:07:47 +01:00
Lennart Poettering
7d93e4af80 man: document the new vpick concept 2024-01-03 18:38:46 +01:00
David Tardon
eea10b26f7 man: use same version in public and system ident. 2023-12-25 15:51:47 +01:00
David Tardon
13a69c120b man: use <simplelist> for 'See also' sections
This is just a slight markup improvement; there should be no difference
in rendering.
2023-12-23 08:28:57 +01:00
Lennart Poettering
d1a5be82ef core: imply SetLoginEnvironment= if PAMName= is set
This geneally makes sense as setting up a PAM session pretty much
defines what a login session is.

In context of #30547 this has the benefit that we can take benefit of
the SetLoginEnvironment= effect without having to set it explicitly,
thus retaining some compat of the uid0 client towards older systemd
service managers.
2023-12-21 10:14:21 +01:00
Lennart Poettering
b6be6a6721 man: document explicitly tha ReadWritePaths= cannot undo superblock read-only settings
Fixes: #29266
2023-11-09 09:39:12 +01:00
Luca Boccassi
00666ec71f
Merge pull request #6763 from kinvolk/iaguis/no-new-privs
core: allow using seccomp without no_new_privs when unprivileged
2023-11-07 21:34:49 +00:00
Zbigniew Jędrzejewski-Szmek
be57c17625 man: link to new btrfs website for btrfs man pages
https://archive.kernel.org/oldwiki/btrfs.wiki.kernel.org/index.php/Manpage/btrfs(5).html
says "This wiki has been archived and the content is no longer updated."
and redirects to https://btrfs.readthedocs.io/en/latest/btrfs-man5.html.
Let's move all the btrfs links to btrfs.readthedocs.io.
2023-11-07 18:35:04 +01:00
Iago López Galeiras
24832d10b6 core: allow using seccomp without no_new_privs when unprivileged
Until now, using any form of seccomp while being unprivileged (User=)
resulted in systemd enabling no_new_privs.

There's no need for doing this because:

* We trust the filters we apply
* If User= is set and a process wants to apply a new seccomp filter, it
will need to set no_new_privs itself

An example of application that might want seccomp + !no_new_privs is a
program that wants to run as an unprivileged user but uses file
capabilities to start a web server on a privileged port while
benefitting from a restrictive seccomp profile.

We now keep the privileges needed to do seccomp before calling
enforce_user() and drop them after the seccomp filters are applied.

If the syscall filter doesn't allow the needed syscalls to drop the
privileges, we keep the previous behavior by enabling no_new_privs.
2023-11-07 11:31:53 +01:00
Zbigniew Jędrzejewski-Szmek
bf63dadbc6 man: more hyperlinks and other fixes
Closes https://github.com/systemd/systemd/issues/29814.
2023-11-06 20:16:34 +01:00
Zbigniew Jędrzejewski-Szmek
c8cd6d7bab man: use meaningful titles for <ulink>s
As pointed out in https://github.com/systemd/systemd/issues/29814, we need to
use phrases are are meaningful on their own, because the man page formatter
creates a list at the bottom. With <ulink>see docs</ulink>, we end up with:
  NOTES:
    1. see docs
       https://some.url/page
    2. see docs
       https://some.url/page2
which is not very useful :(

Also, the text inside the tag should not include punctuation.

Python helper:
  from xml_helper import xml_parse
  for p in glob.glob('../man/*.xml'):
       t = xml_parse(p)
       ulinks = t.iterfind('.//ulink')
       for ulink in ulinks:
           if ulink.text is None: continue
           text = ' '.join(ulink.text.split())
           print(f'{p}: {text}')
2023-11-06 20:16:34 +01:00
Michal Koutný
788b7e7630 man: Add remarks about StandardInput=socket and sd_listen_fds()
It confuses users when they cannot find respective environment variables
with config that is supposes for (x)inetd activated service only.

Fix: #29670
2023-10-31 13:08:45 +01:00
Joerg Behrmann
cf37171890 credentials: document that their path is stable for system services 2023-10-20 11:44:46 +01:00
Reto Schneider
b1b16aa977 man/systemd.exec: Update service result table
exec-condition and oom-kill were added without updating this table.
2023-10-12 12:30:21 +02:00
Mike Yuan
3759a17418 man/systemd.exec: document behavior of SetLoginEnvironment= when unset
Follow-up for 854eca4a95

Addresses https://github.com/systemd/systemd/pull/29493#discussion_r1351980046
2023-10-10 12:08:32 +01:00
Mike Yuan
854eca4a95
core/execute: always set $USER and introduce SetLoginEnvironment=
Before this commit, $USER, $HOME, $LOGNAME and $SHELL are only
set when User= is set for the unit. For system service, this
results in different behaviors depending on whether User=root is set.

$USER always makes sense on its own, so let's set it unconditionally.
Ideally $HOME should be set too, but it causes trouble when e.g. getty
passes '-p' to login(1), which then doesn't override $HOME. $LOGNAME and
$SHELL are more like "login environments", and are generally not
suitable for system services. Therefore, a new option SetLoginEnvironment=
is also added to control the latter three variables.

Fixes #23438

Replaces #8227
2023-10-10 00:00:26 +08:00
Mike Yuan
723c3cd03c
man/systemd.exec: document that API fs are required to setup namespacing
Closes #27997
2023-10-05 05:31:05 +08:00
Mike Yuan
6460a89a1b
man/systemd.exec: suffix one more directory with / 2023-10-05 05:31:05 +08:00
Abderrahim Kitouni
aefdc1124f man: update version information
As I noticed a lot of missing information when trying to implement checking
for missing info. I reimplemented the version information script to be more
robust, and here is the result.

Follow up to ec07c3c80b
2023-09-19 00:37:37 +01:00
Zbigniew Jędrzejewski-Szmek
67da7e9a4f man: make the description of fd storage a bit more accessible
The text is split into paragraphs about specific topics. The advice
and recommendations parts are moved to the end.
2023-09-15 09:00:23 +02:00
Abderrahim Kitouni
ec07c3c80b man: add version info
This tries to add information about when each option was added. It goes
back to version 183.

The version info is included from a separate file to allow generating it,
which would allow more control on the formatting of the final output.
2023-08-29 14:07:24 +01:00
Maanya Goenka
d07246a621 documentation: add man page data for confext 2023-08-16 19:19:44 +01:00
Luca Boccassi
b0d3095fd6 Drop split-usr and unmerged-usr support
As previously announced, execute order 66:

https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

The meson options split-usr, rootlibdir and rootprefix become no-ops
that print a warning if they are set to anything other than the
default values. We can remove them in a future release.
2023-07-28 19:34:03 +01:00
Erik Sjölund
6870daff03 man: fix typos 2023-07-27 09:54:43 +01:00
Luca Boccassi
3f37a82545 core: copy the host's os-release for /run/host/os-release
Currently for portable services we automatically add a bind mount
os-release -> /run/host/os-release. This becomes problematic for the
soft-reboot case, as it's likely that portable services will be configured
to survive it, and thus would forever keep a reference to the old host's
os-release, which would be a problem because it becomes outdated, and also
it stops the old rootfs from being garbage collected.

Create a copy when the manager starts under /run/systemd/propagate instead,
and bind mount that for all services using RootDirectory=/RootImage=, so
that on soft-reboot the content gets updated (without creating a new file,
so the existing bind mounts will see the new content too).

This expands the /run/host/os-release protocol to more services, but I
think that's a nice thing to have too.

Closes https://github.com/systemd/systemd/issues/28023
2023-07-18 17:26:02 +01:00
Zbigniew Jędrzejewski-Szmek
84214541fa Revert "pid1: order units using TTYVHangup= after vconsole setup"
This reverts commit e019ea738d.

In the new approach, a lock on /dev/console will be used. This lock will solve
the issue for services which run in early boot. Services which run later are
ordered after sysinit.target, so they'll run much later anyway so this
automatic dependency is not useful. Let's remove it again to make the code
simpler.
2023-07-12 15:54:33 +02:00
Lennart Poettering
de70ecb328 import-creds: add support for binary credentials specified on the kernel cmdline 2023-07-04 23:19:48 +02:00
Lennart Poettering
0dea5b7719 import-creds: define a new dir where initrd configurators can pass credentials to host 2023-07-04 22:59:07 +02:00
Zbigniew Jędrzejewski-Szmek
da89046643 tree-wide: "<n>bit" → "<n>-bit"
In some places, "<n> bits" is used when more appropriate.
2023-07-02 11:10:12 +01:00